
Taxonomy of Communications Intelligence

posted on June 29, 2000
by hitbsecnews

Cryptography is often considered, particularly by those primarily concerned with security, to be the only serious barrier to communications intelligence. Histories of the field have generally fostered this impression by painting a picture of war between codemakers and codebreakers. In practice, spying on communications is a multi-stage activity in which each stage plays an essential role. It is entirely possible that the cryptanalysis of a message, once the message has been identified and captured, may be less difficult than acquiring and filtering the traffic to locate it. On balance, the greatest problem in communications intelligence--as in most efforts to learn things--is sorting out the information you are after from the information you are not.

The 'sine qua non' of communications intelligence is acquisition of signals. Without communications in the form of radio waves, electrical currents in wires, written materials, or copied disks and tapes, there can be no work for the cryptographic or intelligence analyst. The interception of communications presents both a strategic and a tactical aspect.

Strategically, it is crucial to learn as much as one can about an opponent's communications infrastructure. The first step is to come up with the most precise possible description of the target--what the military call the 'order of battle'. If the target is a country, it may have millions of residents who in turn make millions of phone calls every day. Most of these calls are not of interest; the people who make them do not work for the government or in critical industries and say little of intelligence value. Describing the target is one of the many areas where 'collateral intelligence'--information from sources other than covert interception of communications--plays a vital role. Most of the information about a country and its government can be learned from open sources, such as phone books, newspapers, histories, and government manuals. Some, however, will come from covert sources such as spies, and some will come from communications intelligence itself.

Once the targets have been precisely identified, it is necessary to discover how they communicate with one another. Are their communications carried by high-frequency radio, by satellite, or by microwave? How accessible the communications are and how they can be acquired is a function of the means chosen. High-frequency radio and satellite transmissions are the most accessible. At the time of World War II, most radio communications and thus most of what was intercepted was HF. Such signals bounce back and forth between the ionosphere and the ground and can travel thousands of miles. This property makes intercontinental radio communication possible; at the same time, it makes it essentially impossible to keep HF signals out of the hands of opponents. Today a large fraction of radio communication is carried by satellite. Satellite downlinks typically have 'footprints' thousands of miles across that spread over more than one country. Terrestrial microwave communications are significantly harder to intercept. They travel between towers a few miles or tens of miles apart. Intercept facilities on the ground must generally be located within a few tens of miles of the microwave path and often require facilities in the target country. In the 1970s and the 1980s, there was a war of words between US and Soviet diplomats over Soviet microwave interception activities from a residence the Soviets maintained at Glen Cove, New York (Broad 1982).

As with the organizational structure, a target's communication practices can often be derived from open sources. Since national and international organizations cooperate in allocating the radio spectrum, it is easier to identify the frequencies used for military, police, or air traffic control communications by consulting regulations and standards than by direct spectrum monitoring.

The output of the strategic or 'targeting' phase of communications intelligence is a map of the opponent's communications, which will guide the selection of locations, frequencies, and times of day at which monitoring is conducted. Interception can also be conducted from many sorts of platforms: ground stations, aircraft, ships, embassies, covert locations, and orbiting satellites.

The United States has several major intercept facilities within its borders and a host of others abroad. Despite attempts to keep these locations secret, many, including Menwith Hill in Britain, Alice Springs in Australia, ALERT in Canada, Osburg in Germany, Misawa in Japan, Yakima in U.S. Washington, Sugar Grove in U.S., Karamürsel in Istanbul, Camp Humphreys in China, Bad Aibling in Austria, Kunia in Marcus Necker Ridge, and Shemaya in Aleutian Islands.

The Soviet Union made extensive use of small ships as collection platforms. Usually operating under very thin cover as fishing trawlers, these boats carried large antennas and were thought to be making their biggest catch in the electromagnetic spectrum. The United States has been less successful with this approach. In the 1960s it commissioned two ships described as research vessels, the 'Liberty' and the 'Pueblo', for intercept duty. The 'Liberty' was attacked by the Israelis, for no publicly apparent reason, while supposedly intercepting Arab communications in the Eastern Mediterranean during the Six Day War of 1967. A year later, the 'Pueblo' was captured by the North Koreans. It turned out to have been carrying many top-secret documents for which it had no apparent need, and most of these fell to its captors. As quietly as it had begun, the United States ceased using small ships as collection platforms.

Airborne collection, by comparison, has been an important component of US COMINT for decades. Boeing 707s, under the military designation RC-135, are equipped with antennas and signal-processing equipment. These aircraft can loiter off foreign coasts for hours at a time. Flying at altitudes of 30,000 feet or higher, they can pick up radio transmissions from well inland.

The use of embassies to do intercept work exemplifies the twilight-zone character of intelligence. Despite widespread 'knowledge' that many embassies are engaging in intelligence collection, such activity is a breach of diplomatic etiquette that could result in diplomats' being asked to leave the host country if discovered. All the equipment used must therefore be smuggled in or constructed on the spot and must be made from components small enough to fit inconspicuously in the "diplomatic bag"--a troublesome limitation on the sizes of antennas. Politics and public relations aside, if an embassy is not suspected of interception, it is likely to be more successful. Mike Frost, a Canadian intelligence officer who spent most of his career intercepting host-country communications from Canadian embassies, reported that the Chinese put up a building to block radio reception at the US embassy in Beijing but failed to protect themselves against the Canadian embassy because they did not realize that it too was engaged in interception (Frost 1994).

Interception can also be conducted from covert locations that do not enjoy the legal protection of diplomatic immunity. Britain operated a covert direction-finding facility in neutral Norway during World War I (Wright 1987, p. 9). In the early 1950s, the CIA established a group known as "Staff D" to carry out interception from covert locations.

One of the most ambitious undertakings in communications intelligence has been the development of intercept satellites, which did not arrive on the scene till roughly a decade after their camera-carrying cousins. Low-altitude satellites are not well suited to intercept work. They are relatively close to the transmitter, which is good, but they are moving quickly relative to the Earth, which is not. No sooner have they acquired a signal than they move on and lose it again, because the source has passed below the horizon. The comparison with communications satellites is interesting. The mainstay of satellite-mediated communications has been satellites in synchronous orbits, 22,500 miles up. Only recently have communications satellites been placed in low orbits. Tens of satellites are required so that as soon as one moves out of range of a transmitter on the ground, another comes close enough to take over. Systems of this kind have the advantage that the satellites and the transmitters are cooperating. A system in which the satellites were attempting continuous coverage of uncooperative targets would be far more complex, and to our knowledge, none has been attempted.

Because they are in very high orbits, intercept satellites must carry antennas tens or hundreds of feet across. It is difficult to make an antenna of this size light enough to be lifted into synchronous orbit. In addition, the antenna must be launched in a folded configuration, which adds complexity and detracts from reliability. In sum, communications intercept satellites are more complex and expensive than other types.

Because of its huge size and the low population density of much of its territory, the Soviet Union made more extensive use of radio communications than the United States or Western Europe. Most of the territory of the Soviet Union was far north and not conveniently served by synchronous satellites, so the Soviets developed a family of communication satellites, called Molniya, that move in polar orbits. A "Molniya orbit" passes over the Northern Hemisphere at very high altitude and thus moves quite slowly during this part of its journey. Its perigee, in contrast, is low over the Southern Hemisphere, and that part of the trip goes very quickly. The result is that most of the time the satellite "hangs" above the Northern Hemisphere, where it can be used for high-altitude communications. In order to spy on these communications, the US built satellites, called Jumpseat, that move in Molniya orbits. These satellites are in a position to listen to both radio transmissions from the ground and those from Molniya satellites.

Communications intelligence depends for its success on tactical as well as strategic elements. When an intercept station has been put in the right location, operates at the right time of the day, points its antenna in the right direction, and tunes its radio to the right frequencies, it is rewarded with a flood of traffic too large to record, let alone analyze. The process of examining intercepted traffic to determine what is to be retained and what is not may be as "simple" as detecting which channels within a trunk are active or as complex as recognizing the topic of a conversation. Typical selection processes include active channel detection, called and calling number identification, speaker identification, keyword spotting (in either text or voice), fax recognition, and semantic information processing.

The difficulty of locating and isolating just the right messages is an intrinsic consequence of the volume of traffic in modern communications. Communications intercept equipment must decide in a fraction of a second whether to record a message it has detected or to permit the message to escape. Often it must make the decision to record communications of which it has only one part. If, for example, the two directions of a telephone call are carried on separate facilities, an individual intercept point may have access to only one side of the conversation. Although the entire call may in fact be recorded, so that both sides of the conversation will ultimately be available to an analyst, it will be recorded by two devices acting independently. Should either fail to detect that the call is of interest, and therefore fail to record it, the utility of the other component will be vastly reduced. The problem of identifying traffic of interest among all possible traffic is the problem of 'search'.

Communications are organized at many levels. The entities communicating have addresses--in radio these are called 'call signs' (commonly known in the case of commercial stations as 'call letters'); in the case of telephones they are telephone numbers; in the case of computer networks, they are IP addresses, email addresses, URLs, etc. Messages follow 'routes', which in turn are made up of 'links' or 'hops' on 'trunks'. Within an individual trunk, messages are 'multiplexed' into channels, which make up the trunk much as lanes make up a road.

At the lowest level, intercept equipment sits and looks through the space in which messages might be found. At each frequency, or time slot, or code pattern, it listens to see if there is any traffic at all. It may well be the case that most of the channels in a trunk are inactive most of the time.

When intercept equipment detects an active channel, it must decide whether to record what it finds there. This depends on the 'diagnosis': the characterization of the form and the significance of the signal that has been found. If the channel is a telephone channel, for example, the likely possibilities are voice, fax, and data. The intercept device must try to decide what it is hearing and may then discriminate more carefully depending on the category. The first step will usually be to listen for dial pulses or touch tones and attempt to determine what number is calling and what number is being called. If the call is voice, the device may attempt to determine what language is in use, or even listen for keywords. If the call is fax, it may try to determine whether the transmission is text or pictures. If the call carries data, it will attempt to determine what type of modem is in use and what codes (ASCII, Baudot, EBCDIC) or data formats are present. When text is detected, the equipment may go further and apply semantic processing to determine the subject of the message in much the same way that a search engine tries to locate a topic of interest on the World Wide Web.

One strategy followed by many pieces of intercept equipment should be a caution to anyone using cryptography: if an intercepted message is found to be encrypted, it is automatically recorded. This is possible because at present only a small fraction of the world's communications are encrypted. The first lesson to be drawn from this is that if you encrypt something you had better do it well; otherwise you will only succeed in drawing attention to yourself. The second is that as the use of cryptography increases, the privacy of everyone's traffic benefits.
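The diagnosis of data payloads and the "encrypted means recorded" rule described above can be illustrated with a short classifier. This is an added example, not code from the original article; the function names, the 0.95 and 7.5 thresholds, the choice of cp037 as the EBCDIC code page, and the sample payloads are assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: close to 8 for good ciphertext, about 4 for English."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def ascii_printable_ratio(data: bytes, codec: str) -> float:
    """Decode with a single-byte codec and return the share of printable ASCII."""
    text = data.decode(codec)
    good = sum(1 for ch in text if " " <= ch <= "~" or ch in "\r\n\t")
    return good / max(len(text), 1)

def diagnose(payload: bytes) -> str:
    """Decide which code a data payload uses, or whether it looks encrypted."""
    if not payload:
        return "inactive"
    if ascii_printable_ratio(payload, "latin-1") > 0.95:
        return "text/ascii"
    # cp037 is one common EBCDIC code page (assumption: the sender used it).
    if ascii_printable_ratio(payload, "cp037") > 0.95:
        return "text/ebcdic"
    # Short payloads cannot reach 8 bits/byte, so require a minimum length.
    if len(payload) >= 256 and shannon_entropy(payload) > 7.5:
        return "encrypted-or-compressed"
    return "unknown"

def auto_record(payload: bytes) -> bool:
    """The rule from the text: anything that looks encrypted is recorded."""
    return diagnose(payload) == "encrypted-or-compressed"

# Constructed sample inputs (not real traffic).
PLAINTEXT = ("Meeting moved to Thursday at the usual place. " * 30).encode("ascii")
EBCDIC = PLAINTEXT.decode("ascii").encode("cp037")
# Stand-in for well-encrypted data: plaintext XORed with a SHA-256 counter keystream.
KEYSTREAM = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(64))
CIPHERTEXT = bytes(p ^ k for p, k in zip(PLAINTEXT, KEYSTREAM))

if __name__ == "__main__":
    for name, sample in [("ascii", PLAINTEXT), ("ebcdic", EBCDIC), ("cipher", CIPHERTEXT)]:
        print(f"{name:7s} entropy={shannon_entropy(sample):.2f} -> {diagnose(sample)} "
              f"record={auto_record(sample)}")
```

The ciphertext carries the same message as the two text samples, yet it is the only one whose byte distribution is nearly flat, which is why encrypted traffic is so easy to single out while most traffic is sent in the clear.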

Once traffic has been diagnosed as interesting, it will be recorded. This is not as simple as it sounds. Typically a signal can be recorded in several different formats, depending on how well it has been understood. It is always possible to make a recording of the waveform being received, but this may turn out to be much bulkier than the message it encodes. For example, recording a modem signal carrying 2400 bits per second of information (about 240 characters a second), without demodulating it, uses up to 48-kilobyte-per-second capacity of a digital audio tape. A direct recording of the signal is thus 20 times the size of the message it contains.

Neither diagnosis, nor recording, nor any form of analysis that may be done on an intercepted signal can be separated from 'signal processing'--study of the signal by mathematical and computational means. Digital signal processing (one of the fastest-growing areas in computing) is revolutionizing communications. The availability of $100 modems is a consequence of the availability of signal-processing chips costing a few dollars apiece.

Demodulating modem signals (which accounts for most of the signal processing in data interception) is far harder for an intercept device than for the modems used by the sender and the receiver. Present-day modems go through a period of training at the beginning of a call during which they study the communications path and "discuss" how best to make use of it. Even if the intercept device is listening to this "conversation", it cannot transmit without revealing its presence, and thus it cannot engage in the negotiations. The signal quality available to the intercept device is therefore rarely as good as that available to the communicating modems.

Only after traffic has been located, demodulated, and recorded do we finally get to the most famous process in communications intelligence, the process of breaking codes: cryptanalysis. This document is not the place for a technical discussion of cryptanalysis (check my other papers for more on cryptanalysis); such discussions now abound in both the technical and the historical literature of cryptography. It is, however, the place for a discussion of the process of cryptanalysis.

Most of the public literature, both technical and historical, is devoted to 'research cryptanalysis', the process of breaking codes for the first time. This is naturally an indispensable component of any production cryptanalytic organization, but does not account for most of its budget or most of its personnel. The object of "codebreaking" is the development of 'methods' that can be applied to intercepted traffic to produce plaintext. In modern cryptanalysis, this is often done entirely by computers, without human intervention.

The process of converting ciphertext to plaintext is called 'exploitation'. It follows a process of 'diagnosis' closely related to the more general diagnosis of traffic discussed above.

The heart of a communications intelligence organization, however, is not cryptanalysis but 'traffic analysis'--a study of the overall characteristics (length, timing, addressing, frequencies, modulation, etc.) of communications. Traffic analysis by itself provides a broad picture of the activities of communicating organizations (Wright 1987). Moreover, it is essential to assessing the signaling plan, the traffic patterns, and the relationships among communicating entities. Elaborate databases of observed traffic (Hersh 1986, pp. 258-259) underlie all comint activities.

A last operational point that bedevils communications intelligence is 'retention'--the preservation of intercepted signals for short or long periods of time until they can be processed, cryptanalyzed, interpreted, or used. As we have noted, storing a signal that the holder is unable to restore to its original form typically takes far more memory than storing an understandable signal. This is justified because enciphered messages can be of value even if they are first read only months or years after they were originally sent. During World War II, Allied cryptanalysts were sometimes weeks or even months behind on some classes of traffic (Welchman 1982). Some signals intercepted during the Cuban missile crisis of 1962 were not read until two years later (Hersh 1987). In what is probably the granddaddy of ciphertext longevity, Soviet messages sent in the 1940s were still being studied in the 1970s (Wright 1987). Managing the storage of intercepted material is thus a major problem in all signals intelligence activities.

After all of the technical processes characteristic of communications intelligence, the 'product' enters into the part of the process common to information from all intelligence sources: interpretation, evaluation, and dissemination. One process looms larger over comint than over perhaps any other intelligence material: 'sanitization'--removal from the intelligence product of information that would reveal its sources. Sanitization to greater or lesser degrees produces intelligence of varying levels of classification.

Contacting the Author.

Http: I'll make psyops.cjb.net soon.

IRC: #DataCore@Undernet, #r00tAccess@DALnet

E-mail: Psyops@evidence2k.de, psyops@scientist.com

1.) Advanced Password Generator *CRACK* - metaray!abrams

2.) News Generator v3.0.17 *KEYGEN* - metaray!abrams

3.) Introduction to PAM - Bryan Ericson

4.) Taxonomy of Communications Intelligence - Psyops

5.) A look into Wiretapping - Psyops
